Contracting for Security in Your Mobile App
An Article from Matt Cohen of Clareity Consulting
Posted by: Clareity Consulting
All sorts of businesses are being told that they need to write an "app". Unfortunately, mobile apps constitute a new frontier in contracting that most companies and their attorneys don't yet have a firm grip on. When it comes to ensuring that the software you license or have built for you has taken appropriate steps to protect the confidentiality, integrity and availability (CIA) of data, and that appropriate levels of authentication, authorization, and accounting (AAA) are employed, your main tool is going to be contractual.
While I am not an attorney, and you should consult your attorney for actual legal advice toward constructing any agreement, I understand both the business and the technical sides of software development. And while some attorneys might be satisfied to use a phrase like "Developer will take reasonable care to ensure the confidentiality of the data" or "Developer will follow information security best practices," I far prefer to also see specific, auditable practices described, such that a security auditor and/or judge can understand the specific business requirements and practices that the vendor or developers were required and expected to fulfill. It sure beats paying attorneys later to have the court hash out what "reasonable care" meant in this situation.